Docker process still runs under root, so if container escapes it, it may be bad for users. Even if it runs under your user, there is a risk for it to access more information than allowed.

There are some notes I made year ago while wotking with CyberFund on CyberNode concept — which is essentially a toolkit to let people run nodes easily and as securely as possible.

One of the conventions was to provide `/cyberdata` mount with different folders and run Docker under cyber user. Ideally each container could run with its own user to prevent access to sensitive data if one container is broken.

May be a little paranoid, but losing private keys is not a joke.

--

--

Devil’s Advocate

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store